Unconditionally secure quantum bit commitment is impossible

The claim of quantum cryptography has always been that it can provide protocols that are unconditionally secure, that is, for which the security does not depend on any restriction on the time, space or technology available to the cheaters. We show that this claim does not hold for any quantum bit commitment protocol. Since many cryptographic tasks use bit commitment as a basic primitive, this result implies a severe setback for quantum cryptography. The model used encompasses all reasonable implementations of quantum bit commitment protocols in which the participants have not met before, including those that make use of the theory of special relativity.

a. Introduction. Quantum cryptography is often associated with a cryptographic application called key distribution jl],^] and it has achieved success in this area || . However, other applications of quantum mechanics to cryptography have also been considered and a basic cryptographic primitive called bit commitment, the main focus of this letter, was at the basis of most if not all of these other applications PPUT^,^ .

In a concrete example of bit commitment, a party, Alice, writes a bit $b$ on a piece of paper and puts it into a safe. She gives the safe to another party, Bob, but keeps the key. The objective of this scheme, and of bit commitment in general, is that Alice cannot change her mind about the value of the bit $b$, but meanwhile Bob cannot determine the bit $b$. At a later time, if Alice wants to unveil $b$ to Bob, she gives the key to Bob.

In 1993, a protocol was proposed to realize bit commitment in the framework of quantum mechanics, and the unconditional security (see sections b and c) of this protocol has been generally accepted for quite some time. However, this result turned out to be wrong. The non-security of this protocol, called the BCJL protocol, was realized in the fall of 1995 |1| . After this discovery, Brassard, Crepeau and other researchers have tried to find alternative protocols 0]. Some protocols were based on the theory of special relativity. For additional information about the history of the result see jj| . See also [11].

Here it is shown that an unconditionally secure bit commitment protocol is impossible, unless a computing device, such as a beam splitter, a quantum gate, etc. can be simultaneously trusted by both participants in the protocol. This encompasses any protocol based on the theory of special relativity. A preliminary version of the proof appeared in Q].

b. The model for quantum protocols. It is neither possible in this letter to describe in detail a model for two-party quantum protocols, nor is it useful for the purpose of this letter. The following description includes all that is necessary for our proof.

In our model, a two-party quantum protocol is executed on a system $H_A \otimes H_B \otimes H_E$ where $H_A$ and $H_B$ correspond to two areas, one on Alice's side and one on Bob's side, and $H_E$ corresponds to the environment. We adopt the "decoherence" point of view in which a mixed state $\rho$ of $H_A \otimes H_B$ is really the reduced state of $H_A \otimes H_B$ entangled with the environment $H_E$, the total system $H_A \otimes H_B \otimes H_E$ always being in a pure state $|\psi\rangle$. The systems $H_A$ and $H_B$ contain only two dimensional quantum registers. Higher dimensional systems can be constructed out of two dimensional systems. Alice and Bob can execute any unitary transformation on their respective system. In particular, they can introduce new quantum registers in a fixed state $|0\rangle$. States that correspond to different numbers of registers can be in linear superposition. Any mode of quantum communication can be adopted between Alice and Bob.

Without loss of generality, we can restrict ourselves to binary outcome measurements. The environment is of the form $H_E = H_S \otimes H_{E,A} \otimes H_{E,B}$ where $H_S = H_{S,A} \otimes H_{S,B}$ is a system that stores classical bits that have been transmitted from $H_{S,A}$ on Alice's side to $H_{S,B}$ on Bob's side or vice versa, and $H_{E,A}$ and $H_{E,B}$ store untransmitted classical bits that are kept on Alice's side and Bob's side respectively. To execute a binary outcome measurement, a participant $P \in \{A, B\}$, where $A$ and $B$ stand for Alice and Bob respectively, introduces a quantum register in a fixed state $|0\rangle$. The participant $P$ entangles this register with the measured system initially in a state $|\phi\rangle$ and obtains a new state of the form $\alpha|0\rangle|\phi_0\rangle + \beta|1\rangle|\phi_1\rangle$. Then, he sends the new quantum register away to a measuring apparatus in $H_{E,P}$ which amplifies and stores each component $|x\rangle$ as a complex state $|x\rangle^{(E,P)}$. The resulting state is $\alpha|0\rangle^{(E,P)}|\phi_0\rangle + \beta|1\rangle^{(E,P)}|\phi_1\rangle$. Similarly, to generate a random bit one simply maps $|0\rangle$ into $\alpha|0\rangle + \beta|1\rangle$ and sends the register away in some part of $H_{E,P}$ that will amplify and store it as a state $\alpha|0\rangle^{(E,P)} + \beta|1\rangle^{(E,P)}$. The transmission of a classical bit $x$ from Alice to Bob is represented by a transformation that maps $|x\rangle^{(E,A)}|0\rangle^{(E,B)}$ into $|x\rangle^{(S,A)}|x\rangle^{(S,B)}$. A similar transformation exists for the transmission of a classical bit from Bob to Alice.

Now, let us assume that the total system is in a superposition $\sum_{\xi_S,\xi_A,\xi_B} \alpha(\xi_S,\xi_A,\xi_B)\,|\xi_S,\xi_A,\xi_B\rangle^{(E)}\,|\phi(\xi_S,\xi_A,\xi_B)\rangle$ where $|\xi_S,\xi_A,\xi_B\rangle^{(E)}$ corresponds to the random binary string stored in the environment with probability $|\alpha(\xi_S,\xi_A,\xi_B)|^2$ and $|\phi(\xi_S,\xi_A,\xi_B)\rangle$ is the corresponding collapsed state of $H_A \otimes H_B$. The participant $P$ can "read" the strings $\xi_P$ and $\xi_S$ and then choose the next action, measurements, etc. accordingly, but the allowed transformations must behave as if a collapse into the state $|\phi(\xi_S,\xi_A,\xi_B)\rangle$ has really occurred.

c. Unconditional security and quantum bit commitment protocols. To realize bit commitment in the framework of quantum mechanics, the bit $b$ that Alice has in mind must be encoded into a state $|\psi_b\rangle$ of $H_A \otimes H_B \otimes H_E$ through a procedure commit($b$). A bit commitment protocol must also include an optional procedure unveil($|\psi_b\rangle$) that can be used to return to Bob either the value of the bit $b$ or, occasionally when Alice attempts to cheat, an inconclusive result denoted $\perp$. The protocol is correct if the procedure unveil always returns $b$ on $|\psi_b\rangle$ when both participants are honest.

Now, the encoding that is defined above does not always make sense when Alice cheats. Alice might act without having any specific bit $b$ in mind during the procedure commit, so as to choose it later. Given a fixed strategy used by Alice, let $|\psi'\rangle$ be the state created by the associated modified procedure commit'. We denote $p(b \mid \text{not } \perp)$ the probability that unveil returns $b$ on $|\psi'\rangle$ given that it has not returned $\perp$. Alice can certainly choose the probability $p(b \mid \text{not } \perp)$. This can be done via an honest encoding by choosing bit $b$ with probability $p(b \mid \text{not } \perp)$. However, after the procedure commit', Alice should not be able to change her mind about $p(b \mid \text{not } \perp)$. Let unveil' be a procedure unveil modified by a dishonest Alice. Now, denote $p'(b \mid \text{not } \perp)$ as the probability that unveil' returns $b$ on $|\psi'\rangle$ given that it does not return $\perp$. The state $|\psi'\rangle$ perfectly binds Alice to $p(b \mid \text{not } \perp)$ if every procedure unveil' either returns $\perp$ with probability 1 or else returns $b$ with probability $p'(b \mid \text{not } \perp) = p(b \mid \text{not } \perp)$. In this case, we also say that $|\psi'\rangle$ is perfectly binding.

The encoding $b \mapsto |\psi_b\rangle$ makes sense when Alice is honest, but it can be modified by a dishonest Bob. Let $\eta = (\xi_B, \xi_S)$ be the random classical information stored in $H_{E,B} \otimes H_S$ and available to Bob after this encoding. Let $|\psi_{b,\eta}\rangle$ be the corresponding collapsed state of the system $H_A \otimes H_B \otimes H_{E,A}$. Denote $\rho_B(|\psi_{b,\eta}\rangle) = \mathrm{Tr}_{H_A \otimes H_{E,A}}(|\psi_{b,\eta}\rangle\langle\psi_{b,\eta}|)$ the reduced density matrix of $H_B$ given $\eta$. Let us define $F(\eta) = 0$ if $\eta$ determines a single value of the bit $b$, otherwise let $F(\eta)$ be the fidelity [9] between $\rho_B(|\psi_{0,\eta}\rangle)$ and $\rho_B(|\psi_{1,\eta}\rangle)$. The fidelity is never greater than 1 and is equal to 1 if and only if the two density matrices are identical. The modified encoding is said to be perfectly concealing if the random string $\eta$ provides no information about $b$ and the expected value of $F(\eta)$ is 1. This corresponds to the fact that a dishonest Bob should not be able to determine the bit $b$. A protocol is perfectly secure if, (1) when Alice is honest, even if Bob cheats, the resulting encoding is perfectly concealing, and, (2) when Bob is honest, even if Alice cheats, the resulting encoding is perfectly binding.

Note that it is generally accepted that a perfectly secure bit commitment protocol is impossible. However, another almost as interesting level of security is possible. Consider a protocol with some security parameter $n$. For example, the security parameter $n$ could correspond to the number of photons that must be transmitted. An encoding with parameter $n$ is said to be concealing if, by an increase of the parameter $n$, it can be made arbitrarily close to perfectly concealing. Similarly, a state $|\psi\rangle$ with an implicit parameter $n$ is said to be binding if by an increase of the parameter $n$ it can be made arbitrarily close to being perfectly binding. A protocol with parameter $n$ is secure if (1) the state $|\psi\rangle$ returned by commit is binding when Bob is honest and (2) the encoding is concealing when Alice is honest. This is the kind of security that we expect in quantum cryptography. Furthermore, in quantum cryptography, we want any desired properties to hold even against a cheater with unlimited computational power! This means that there should be no restriction on the amount of time, space or technology available to the cheater. A property that holds even against such a cheater is said to hold unconditionally. In quantum cryptography, we want unconditionally secure protocols. This does not mean that we want perfectly secure protocols.

d. The BB84 quantum bit commitment protocol. We say that an encoding $b \mapsto |\psi_b\rangle$ is a bit commitment encoding if it is concealing and $|\psi_0\rangle$ and $|\psi_1\rangle$ bind Alice to 0 and 1 respectively. It can be shown that even if both participants are honest, no protocol that is based on classical communication between Alice and Bob can create a bit commitment encoding. So, it is of interest that a two-party quantum protocol was proposed in 1984 that realizes a bit commitment encoding when both participants are honest [1]. The protocol fails when Alice cheats. In fact, the authors themselves have first explained their protocol together with Alice's strategy.

In the BB84 coding scheme (which is not a bit commitment) a bit is coded either in a so-called rectilinear basis $(|0\rangle_+, |1\rangle_+)$ or in the diagonal basis $(|0\rangle_\times, |1\rangle_\times)$, where $|0\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle_+ + |1\rangle_+)$ and $|1\rangle_\times = \frac{1}{\sqrt{2}}(|0\rangle_+ - |1\rangle_+)$. In the commit procedure of the BB84 quantum bit commitment protocol, Alice creates a string of random bits $w = w_1 \ldots w_n$. Then she codes each bit $w_i$ in the BB84 coding scheme, always using the rectilinear basis $\theta = +$ if she wants to commit a 0 and the diagonal basis $\theta = \times$ if she wants to commit a 1. She sends these registers to Bob. Then, Bob chooses a string of random bases $\hat\theta = \hat\theta_1 \ldots \hat\theta_n \in \{+, \times\}^n$, measures the register $i$ in the basis $\hat\theta_i$ and notes the outcomes $\hat w_i$. In the unveil procedure, Alice has simply to announce the string $w$. Bob can determine the bit $b$ by looking at the positions $i$ where $\hat w_i \neq w_i$. Bob knows that at each of these positions $\theta \neq \hat\theta_i$, and he knows the bases $\hat\theta_i$. Any of these positions can be used to determine $\theta$. If two of these positions reveal different values for $\theta$, Bob interprets it as an inconclusive result. The encoding is concealing because both $b = 0$ and $b = 1$ correspond to the same fully mixed density matrix on Bob's side. Also, the state after the commit procedure is binding because in order to deceive Bob Alice would have to guess exactly the bits obtained by Bob when $\hat\theta_i \neq \theta$. These bits are perfectly random. Therefore, she would only succeed with a probability that goes to 0 when $n$ increases. Note that unconditional security does not mean a perfectly secure protocol.

Now, we present Alice's strategy against the BB84 bit commitment protocol. In our model, for each random bit $w_i$, Alice creates the state:

$$\frac{1}{\sqrt{2}}\left(|0\rangle_\theta^{(E,A)}|0\rangle_\theta^{(B)} + |1\rangle_\theta^{(E,A)}|1\rangle_\theta^{(B)}\right) \qquad (1)$$

where the bit $w_i$ is coded in the register to the left. For simplicity, we have assumed that the basis $\theta$ is used for both registers. A dishonest Alice executes the honest commit algorithm for $b = 0$, except that she never sends anything away to the environment. In other words, for each position $i$, the state (1) becomes the state:

$$\frac{1}{\sqrt{2}}\left(|0\rangle_+^{(A)}|0\rangle_+^{(B)} + |1\rangle_+^{(A)}|1\rangle_+^{(B)}\right) \qquad (2)$$

Note that the states (1) and (2) are formally identical. Only the underlying systems are different. Nevertheless, this is cheating because now there exists a unitary transformation that Alice can execute on $H_A$ that will transform this state into the state:

$$\frac{1}{\sqrt{2}}\left(|0\rangle_\times^{(A)}|0\rangle_\times^{(B)} + |1\rangle_\times^{(A)}|1\rangle_\times^{(B)}\right), \qquad (3)$$

which is the state that she would have created with a 1 in mind. In this example, it turns out that the transformation is the identity transformation because these two states are one and the same state, but in general the cheater will have a non-trivial transformation to execute.
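The strategy built on states (2) and (3) can be replayed numerically. The following Python simulation is an added example, not code from the letter: the function names, the sample size and the rule that Bob reports an inconclusive result when no position disagrees are assumptions made here.

```python
import math
import random

H = 1 / math.sqrt(2)
EPR = [H, 0.0, 0.0, H]   # state (2); amplitude index = 2*alice_bit + bob_bit

def hadamard(state, qubit):
    """Switch rectilinear <-> diagonal on qubit 0 (Alice) or qubit 1 (Bob)."""
    out = [0.0] * 4
    for idx, amp in enumerate(state):
        bits = [idx >> 1, idx & 1]
        for new in (0, 1):
            sign = -1.0 if bits[qubit] and new else 1.0
            tgt = list(bits)
            tgt[qubit] = new
            out[2 * tgt[0] + tgt[1]] += sign * H * amp
    return out

def measure(state, qubit, basis, rng):
    """Measure one qubit in basis '+' or 'x'; return (outcome, collapsed state)."""
    if basis == "x":
        state = hadamard(state, qubit)
    shift = 1 - qubit
    p1 = sum(a * a for i, a in enumerate(state) if (i >> shift) & 1)
    out = 1 if rng.random() < p1 else 0
    kept = [a if ((i >> shift) & 1) == out else 0.0 for i, a in enumerate(state)]
    norm = math.sqrt(sum(a * a for a in kept))
    state = [a / norm for a in kept]
    if basis == "x":
        state = hadamard(state, qubit)
    return out, state

def cheating_commit(n, rng):
    """commit': Bob receives one half of each pair; Alice measures nothing."""
    bases = [rng.choice("+x") for _ in range(n)]
    results = [measure(EPR, 1, th, rng) for th in bases]
    return [st for _, st in results], bases, [out for out, _ in results]

def cheating_unveil(pairs, b, rng):
    """unveil': Alice picks b only now and measures her halves in that basis."""
    theta = "+" if b == 0 else "x"
    return [measure(st, 0, theta, rng)[0] for st in pairs]

def bob_unveil(w, bob_bases, bob_bits):
    """Bob's test from the text: a disagreeing position proves theta != his basis."""
    implied = {"x" if th == "+" else "+"
               for wi, th, wh in zip(w, bob_bases, bob_bits) if wi != wh}
    if len(implied) != 1:
        return None   # inconclusive; also when no position disagrees (assumed here)
    return 0 if implied == {"+"} else 1

def bob_density(b):
    """Bob's density matrix for one register when an honest Alice commits b."""
    kets = [(1.0, 0.0), (0.0, 1.0)] if b == 0 else [(H, H), (H, -H)]
    return [[sum(0.5 * k[r] * k[c] for k in kets) for c in (0, 1)] for r in (0, 1)]

def demo(n=64, seed=1):
    """Open one and the same commitment transcript first as 0, then as 1."""
    rng = random.Random(seed)
    pairs, bases, bits = cheating_commit(n, rng)
    return tuple(bob_unveil(cheating_unveil(pairs, b, rng), bases, bits) for b in (0, 1))

if __name__ == "__main__":
    print(demo())
```

Bob's bases and outcomes are fixed before Alice chooses $b$, yet his own test accepts either value, while `bob_density` shows why he cannot tell the two commitments apart.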

e. The proof. It is very easy to build a secure bit commitment protocol in which the initial state is already the outcome of a bit commitment encoding. So the following proof for the impossibility of bit commitment requires an assumption on the initial state. For simplicity we deal only with protocols where initially all quantum registers are set to $|0\rangle$ and there is no entanglement with the environment. We prove that no quantum bit commitment protocol that starts in this state is unconditionally secure, unless a computing device such as a beam splitter can be trusted by both participants simultaneously. In our proof we assume that the protocol is secure against Bob. (Otherwise, the protocol is not secure and we are done). The proof has three main steps. First, we describe Alice's strategy in a modified procedure commit' and Bob's strategy in a modified procedure commit". Second, we consider Bob's strategy in commit" and use the assumption that the protocol is secure against Bob to obtain that the expected value of the fidelity between the density matrices on Bob's side after commit' is arbitrarily close to 1. Third, we show that this implies that a procedure unveil' modified by Alice allows her to cheat after commit'.

The first step. In the BB84 example, Alice's strategy in a procedure commit' was to choose $b = 0$ and to never send a register away to the environment. However, in this particular example there was no classical communication from Alice to Bob. In the general case, in the modified procedure commit', Alice chooses $b = 0$ and never sends a register away to the environment except when this register contains a classical bit that she must transmit to Bob via the environment, using the phone for instance. Bob in commit" does as Alice in commit', that is, he never sends a register away to the environment unless it is required for classical communication. So, $H_{E,A}$ is not used in commit' and $H_{E,B}$ is not used in commit".

The second step. Let $\gamma$ be the random string stored in $H_S$ after commit'. Let $|\psi'_{b,\gamma}\rangle$ be the corresponding collapsed state of the remaining system $H_A \otimes H_B \otimes H_{E,B}$. We want to show that the expected value of the fidelity $F'(\gamma)$ between the reduced density matrices $\rho_B(|\psi'_{b,\gamma}\rangle)$ for $H_B \otimes H_{E,B}$ in commit' is arbitrarily close to 1. After commit", the same random string $\gamma$ is stored in $H_S$, but the corresponding collapsed state $|\psi''_{b,\gamma}\rangle$ is now stored in $H_{E,A} \otimes H_A \otimes H_B$. However, as for the states (1) and (2) of the BB84 example, the state $|\psi''_{b,\gamma}\rangle$ is formally identical to the state $|\psi'_{b,\gamma}\rangle$. Also, because in commit' $H_{E,A}$ has been replaced by a subsystem of $H_A$, a partial trace over $H_A$ in commit' corresponds formally to a partial trace over $H_A \otimes H_{E,A}$ in commit". Therefore, the density matrices $\rho_B(|\psi'_{b,\gamma}\rangle)$ in commit' are identical to the corresponding density matrices $\rho_B(|\psi''_{b,\gamma}\rangle)$ for the system $H_B$ in commit". Also, in commit" the string $\eta = (\xi_B, \xi_S)$ and the string $\gamma = \xi_S$ correspond to a same collapse because $\xi_B$ is the empty string. The expected value of $F'(\gamma) = F(\eta)$ (see section c) must be arbitrarily close to 1, otherwise Bob succeeds in commit" and this contradicts our assumption.

The third step. For simplicity we first do the case where the expected value of $F'(\gamma)$ is 1, that is, the density matrices are always identical. In this case, Alice can unveil the bit $b = 1$ because the work of || implies that, if $\rho_B(|\psi'_{0,\gamma}\rangle) = \rho_B(|\psi'_{1,\gamma}\rangle) \stackrel{\mathrm{def}}{=} \rho_B$, there exists a unitary transformation on Alice's side which maps $|\psi'_{0,\gamma}\rangle$ into $|\psi'_{1,\gamma}\rangle$. Consider the respective Schmidt decomposition |0 of $|\psi'_{0,\gamma}\rangle$ and $|\psi'_{1,\gamma}\rangle$:

$$|\psi'_{0,\gamma}\rangle = \sum_i \sqrt{\lambda_i}\,|e_i^{(0)}\rangle \otimes |f_i\rangle$$

$$|\psi'_{1,\gamma}\rangle = \sum_i \sqrt{\lambda_i}\,|e_i^{(1)}\rangle \otimes |f_i\rangle.$$

In the above formula, $\lambda_i$ are eigenvalues of the three density matrices $\rho_B$, $\rho_A(|\psi'_{0,\gamma}\rangle)$ and $\rho_A(|\psi'_{1,\gamma}\rangle)$. The fact that these three density matrices share the same positive eigenvalues with the same multiplicity is a direct consequence of the Schmidt decomposition theorem [p|,|l4"[. The states $|e_i^{(b)}\rangle$ and $|f_i\rangle$ are respectively eigenstates of $\rho_A(|\psi'_{b,\gamma}\rangle)$ and $\rho_B$ associated with the same eigenvalue $\lambda_i$. The coefficients $\sqrt{\lambda_i}$ are real numbers, but any phase can be included in the choice of $|e_i^{(b)}\rangle$. Clearly, the same unitary transformation that maps $|e_i^{(0)}\rangle$ into $|e_i^{(1)}\rangle$ also maps $|\psi'_{0,\gamma}\rangle$ into $|\psi'_{1,\gamma}\rangle$. Alice can compute the states and thus this unitary transformation with an arbitrary level of precision. So, Alice can cheat when the two density matrices on Bob's side are always identical.

Now, we do the case where the expected value of $F'(\gamma)$ is not 1 but arbitrarily close to 1. Note that $F'(\gamma) > 0$ is the fidelity between $\rho_B(|\psi'_{0,\gamma}\rangle)$ and $\rho_B(|\psi'_{1,\gamma}\rangle)$. Any state $|\psi_{01}\rangle$ of the overall system such that $\rho_B(|\psi_{01}\rangle) = \rho_B(|\psi'_{0,\gamma}\rangle)$ is called a purification of the density matrix $\rho_B(|\psi'_{0,\gamma}\rangle)$. Because $|\psi'_{1,\gamma}\rangle$ is a purification of $\rho_B(|\psi'_{1,\gamma}\rangle)$, Uhlmann's theorem || says that there exists a purification $|\psi_{01}\rangle$ of $\rho_B(|\psi'_{0,\gamma}\rangle)$ such that

$$|\langle\psi_{01}|\psi'_{1,\gamma}\rangle| \geq F'(\gamma) \qquad (4)$$

The fact that $|\psi_{01}\rangle$ is a purification of $\rho_B(|\psi'_{0,\gamma}\rangle)$ implies that Alice in unveil' can transform $|\psi'_{0,\gamma}\rangle$ into $|\psi_{01}\rangle$, as in the case where the density matrices are identical, and then continue with the honest unveil. Inequality (4) implies that the probability $p_\gamma$ that unveil' returns 1 on $|\psi'_{0,\gamma}\rangle$ is greater than $f(F'(\gamma))$ for some function $f(z)$ such that $\lim_{z \to 1} f(z) = 1$ (more details are given in [p"2||). This means that Alice can change the bit $b$ that she unveils to Bob from 0 to 1 with a probability that goes to 1 as the expected value of $F'(\gamma)$ goes to 1.
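The third step is a computation Alice can carry out explicitly. The following Python sketch is an added example, not part of the letter: it finds her unitary with a singular value decomposition instead of writing out the Schmidt bases, and it covers both the identical and the nearly identical case. The names, the dimensions, the constructed random states and the use of the fidelity in its square-root form $\mathrm{Tr}\sqrt{\sqrt{\rho_0}\,\rho_1\sqrt{\rho_0}}$ are assumptions made here.

```python
import numpy as np

def reduced_B(M):
    """rho_B of |psi> = sum_{a,k} M[a,k] |a>_A |k>_B (partial trace over Alice)."""
    return M.T @ M.conj()

def fidelity(r0, r1):
    """Tr sqrt(sqrt(r0) r1 sqrt(r0)), square-root form; equals 1 iff r0 == r1."""
    vals, vecs = np.linalg.eigh(r0)
    root = (vecs * np.sqrt(np.clip(vals, 0, None))) @ vecs.conj().T
    inner = np.linalg.eigvalsh(root @ r1 @ root)
    return float(np.sum(np.sqrt(np.clip(inner, 0, None))))

def alice_unitary(M0, M1):
    """Unitary U on H_A maximising <psi_1|(U x 1)|psi_0> = Tr(U M0 M1^dagger)."""
    W, _, Vh = np.linalg.svd(M0 @ M1.conj().T)
    return Vh.conj().T @ W.conj().T

def overlap(M0, M1, U):
    """|<psi_1|(U x 1)|psi_0>| after Alice acts with U on her side only."""
    return float(abs(np.vdot(M1, U @ M0)))

def sample_states(dA=4, dB=2, eps=0.0, seed=0):
    """Constructed input: psi_0 random, psi_1 = (Q x 1) psi_0 plus eps * noise."""
    rng = np.random.default_rng(seed)
    cplx = lambda *s: rng.normal(size=s) + 1j * rng.normal(size=s)
    M0 = cplx(dA, dB)
    M0 /= np.linalg.norm(M0)
    Q, _ = np.linalg.qr(cplx(dA, dA))      # unitary on Alice's side, invisible to Bob
    M1 = Q @ M0 + eps * cplx(dA, dB)
    return M0, M1 / np.linalg.norm(M1)

def demo(eps):
    """Return (overlap reached by Alice, fidelity of Bob's two density matrices)."""
    M0, M1 = sample_states(eps=eps)
    U = alice_unitary(M0, M1)
    return overlap(M0, M1, U), fidelity(reduced_B(M0), reduced_B(M1))

if __name__ == "__main__":
    print(demo(0.0), demo(0.05))
```

With `eps=0.0` Bob's two density matrices coincide and the overlap is 1; with a small `eps` the overlap Alice reaches equals the fidelity between them, which is the quantity the proof drives to 1.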

One key point is that the algorithm used by the dishonest participant in commit' or commit" is formally identical to the algorithm used by the same but honest participant in commit. Therefore, no verification whatsoever, including any verification based on measurement of time delay and the theory of special relativity, can be used by the honest participant in commit' or commit" to detect such a cheater. This concludes the proof.

f. Conclusions. Because we have shown that bit commitment is impossible, we cannot hope to realize cryptographic primitives or applications which are known to be powerful enough to obtain bit commitment. On the other hand, there might exist secure protocols for coin tossing and most multi-party computations M,Jfl] because it is not known how to build bit commitment on top of them. Note that some tasks might not be powerful enough to obtain bit commitment and yet be impossible. What are the fundamental principles that make some tasks possible and other tasks impossible? One could propose that all the tasks which involve only two parties are impossible to explain why quantum key distribution is possible and bit commitment impossible. However, there might be other principles involved. For instance, in bit commitment an asymmetry is created. It could be that only the asymmetrical tasks are impossible. In this case, coin tossing would be possible. What tasks are possible is a fundamental question which yet remains to be answered.

g. Acknowledgments. The author acknowledges fruitful discussions with Charles Bennett, Gilles Brassard, Claude Crepeau, Lior Goldenberg, Jeroen van de Graaf, Tal Mor, Louis Salvail, Lev Vaidman, and William Wootters. The author also offers special thanks to the people of Maharishi University of Management who provided great support for the writing of this letter. This work has been supported in part by DIMACS and by Quebec's FCAR.



[1] C. H. Bennett and G. Brassard, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, December 1984, pp. 175-179.

[2] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, Journal of Cryptology, vol. 5, no. 1, 1992, pp. 3-28.

[3] C. H. Bennett, G. Brassard, C. Crepeau and M. Skubiszewska, Proceedings of CRYPTO'91, vol. 576, Springer-Verlag, Berlin, 1992, pp. 351-366.

[4] G. Brassard, personal communication.

[5] G. Brassard and C. Crepeau, Sigact News, vol. 27, no. 3, September 1996, pp. 13-24.

[6] G. Brassard, C. Crepeau, R. Jozsa and D. Langlois, in Proceedings of the 34th Annual IEEE Symposium on Foundations of Computer Science, November 1993, pp. 362-371.

[7] C. Crepeau, J. van de Graaf and A. Tapp, Advances in Cryptology: Proceedings of Crypto '95, vol. 963, Springer-Verlag, Berlin, 1995, pp. 110-123.

[8] L. P. Hughston, Richard Jozsa and William K. Wootters, Physics Letters A, vol. 183, pp. 14-18, 1993.

[9] R. Jozsa, Fidelity for mixed quantum states, Journal of Modern Optics, vol. 41, no. 12, pp. 2315-2323, 1994.

[10] J. Kilian, Proceedings of the 20th Symposium on Theory of Computing, May 1988, pp. 20-31.

[11] H.-K. Lo and H. F. Chau, "Is quantum bit commitment really possible?", Los Alamos preprint archive quant-ph/9603004, March 1996.

[12] D. Mayers, "The trouble with quantum bit commitment", presented at a workshop on quantum information theory, Montreal, October 1995. Available at http://xxx.lanl.gov/ps/quant-ph/9603015. Submitted to Journal of Cryptology.

[13] D. Mayers, Proceedings of the Fourth Workshop on Physics and Computation, PhysComp '96, Boston, November 1996, pp. 226-228.

[14] E. Schmidt, Math. Ann. 63 (1906) 433.

[15] A. Yao, in Proceedings of the 26th Symposium on the Theory of Computing, June 1995, pp. 67-75.



